Bina Nusantara University

Slide 2: Risk & Control
Control is needed because risk exists. The word "risk" comes from the Italian risicare, "to dare" in English: "the action we dare to take, which depends on how free we are to make choices".

Slide 3: Overview of Control Concepts
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Slide 4: Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
– It is an integral part of management responsibilities.
– It is designed to reduce errors and irregularities and to achieve organizational goals.
– It is personnel-oriented and seeks to help employees attain company goals.

Slide 5: Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
– Preventive, detective, and corrective controls
– General and application controls
– Administrative and accounting controls
– Input, processing, and output controls

Slide 7: Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems. The report has been widely accepted as the authority on internal controls.

Slide 10: Five Interrelated Components of Internal Control
1. Control environment – tone at the top
2. Risk assessment – identification and analysis of risks
3. Control activities – policies and procedures
4. Information & communication – processing of information in a form and time frame that enables people to do their jobs
5. Monitoring – a process that assesses the quality of internal control over time

Slide 11: Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT). COBIT consolidates standards from 36 different sources into a single framework. The framework addresses the issue of control from three vantage points, or dimensions:

Slide 13: CobiT
CobiT's Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of the risks and benefits associated with information integrity, security and availability, and the management of related IT.

Slide 14
– Authoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
– Structured and organized to provide a powerful control model.

Slide 19: Why and how is COBIT used?
– Incorporates major international standards
– Has become the de facto standard for overall control over IT
– Starts from business requirements
– Is process-oriented
[Diagram: IT Processes, IT Management Processes, IT Governance Processes; COBIT as a response to the needs; COBIT repository for best practices]

Slide 22: Control Objectives & Control Practices
– High-level control objective – one per process
– Detailed control objectives – three to 30 per process
– Control practices – five to seven per control objective

Slide 31: Relation to Other Control Models
CobiT is in alignment with other control models:
– COSO
– COCO
– Cadbury
– King

Slide 32: CobiT: An IT control framework
– Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
– Promotes process focus and process ownership.
– Divides IT into 34 processes belonging to four domains:
  – Planning
  – Acquiring & Implementing
  – Delivery & Support
  – Monitoring
– Looks at the fiduciary, quality and security needs of enterprises and provides seven information criteria that can be used to generically define what the business requires from IT:
  – Effectiveness
  – Efficiency
  – Availability
  – Integrity
  – Confidentiality
  – Reliability
  – Compliance

Slide 33: Why governance?
– "Due diligence"
– IT is strategic to the business
– IT is critical to the business
– Expectations and reality don't match
– IT involves huge investments and large risks

Slide: Start from a Maturity Model
Maturity scale: Non-Existent, Initial, Repeatable, Defined, Managed, Optimised
Legend for symbols used (positions marked on the scale):
– Enterprise current status
– International standard guidelines
– Industry best practice
– Enterprise strategy
Legend for rankings used:
0 – Management processes are not applied at all
1 – Processes are ad hoc and disorganised
2 – Processes follow a regular pattern
3 – Processes are documented and communicated
4 – Processes are monitored and measured
5 – Best practices are followed and automated

Slide 36: How Does COBIT Link to IT Governance?
[Diagram: IT Governance – Goals, Responsibilities, Control Objectives; the business needs information to achieve its objectives; Direction (IT Strategy and Policy); Control, Risk and Requirements Information (IT Assurance)]